Re: Jenkins amplification

[Christopher Morrow <morrowc.lists () gmail com>]

On Tue, Feb 4, 2020 at 11:15 AM Mike Meredith <mike.meredith () port ac uk> wrote:
> On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow
> <morrowc.lists () gmail com> may have written:
> > My experience, and granted it's fairly scoped, is that this sort of thing
> > works fine for a relatively small set of 'persons' and 'resources'.
>
> Seeing as managing this sort of thing is my primary job these days ...

<beer, you probably deserve one> :)

> > it ends up being about the cross-product of #users * #resources.
>
> That's the interesting part of the job - coalescing rules in a way that
> minimises the security impact but maximises the decrease of complexity. If
> you don't, you get an explosion of complexity that results in a set of
> rules (I know of an equivalent organisation that has over 1,000 firewall
> rules) that becomes insanely complex to manage.

I think the fact that it's hard to keep all of this going and to
contain the natural spread of destruction (that it takes someone with
a pretty singular foc us) makes my point.

> > certainly a more holistic version of the story is correct.
> > the relatively flippant answer way-back-up-list of: "vpn"
>
> I think that "vpn" is the right answer - it's preferrable to publishing
> services to the entire world that only need to be used by empoyees. But
> it's not cheap or easy.

Weighing the cost/benefit is certainly each org's decision.
having lived without vpn for a long while and under the regime of
authen/author for users with proper token/etc access... I'd not want
my internal network opened to the wilds of vpn users :( (I actively
discourage this at work because there are vanishingly small reasons
why a full network connection is really required by a user at this
point).

anyway, good luck!